
Quantitative Safety Analysis of a Coordinated Emergency Brake Protocol for Vehicle Platoons

(Preprint not for review)

Carl Bergenhem (1), Karl Meinke (2)*, Fabian Ström (2)

1. Qamcom Research and Technology AB, Falkenbergsg. 3, 41285 Gothenburg, Sweden
2. School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, 100 44 Stockholm, Sweden

Abstract. In this paper, we present a general methodology to estimate safety related parameter values of cooperative cyber-physical system-of-systems. As a case study, we consider a vehicle platoon model equipped with a novel distributed protocol for coordinated emergency braking. The estimation methodology is based on learning-based testing, which is an approach to automated requirements testing that combines machine learning with model checking.

Our methodology takes into account vehicle dynamics, control algorithm design, inter-vehicle communication protocols and environmental factors such as message packet loss rates. Empirical measurements from road testing of vehicle-to-vehicle communication in a platoon are modeled and used in our case study. We demonstrate that the minimum global time headway for our platoon model equipped with the CEBP function scales well with respect to platoon size.

Keywords: vehicle platoon, learning-based testing, Co-CPS, safety boundaries, quantitative analysis, coordinated braking

1 Introduction

A vehicle platoon (or road train) is a collection of vehicles that coordinate and collaborate to reach goals such as traveling to a certain destination, while also improving e.g. safety, fuel economy and driver comfort. One challenge for platoon design is coordination of a platoon-wide emergency brake by means of a distributed protocol (CEBP). The overall goal is to avoid collisions within the platoon while still performing braking as efficiently (i.e. with as high deceleration) as possible. To justify the deployment of a CEBP solution it is necessary to quantitatively analyse its behaviour, especially properties that impact on safety.

In this paper, we introduce a new methodology to estimate quantitative parameters related to safety properties of cooperating cyber-physical systems (Co-CPS). Our approach is based on the method of learning-based testing (LBT) [23]. We illustrate this methodology by estimating safety related parameters of a platoon model that includes a novel CEBP algorithm. This case study is in many ways generic. It therefore supports the claim that our parameter estimation methodology could be extended to a wider variety of cyber-physical system-of-systems through the use of simulators and virtualised environment modeling. This is one goal of the EU project Safe Cooperating Cyber-Physical Systems using Wireless Communication (SafeCOP¹).

* Corresponding author: karlm@kth.se

In a platoon, the lead vehicle can be manually driven and the followers (one or more) follow the leader automatically, using control algorithms for longitudinal and lateral motion. The target inter-vehicle headway is small enough (e.g. <1 s) that dependable communication is required for the platoon to be safe. A platoon capable vehicle has the technologies (e.g. communication) to lead or follow in a platoon. Issues concerning positioning, e.g. accuracy and reliability of GPS and security, are out of scope here.

A platooning system can be considered to be a cooperative cyber-physical system-of-systems (Co-CPS). This is because vehicle-to-vehicle (V2V) communication is an enabler for the technology [33]. Failures in a platoon (e.g. poor V2V communication) could potentially cause physical harm. Safety analysis for Co-CPS introduces many technical challenges. Basic problems include the system size, and the existence of black-box third-party components, which can make it technically infeasible to perform a full static analysis (see e.g. the conclusions on platooning of [17]).

For this reason, learning-based testing (LBT) [21] is an interesting contribution to safety studies of Co-CPS. LBT combines promising aspects of testing, simulation and model-based analysis. By inferring black-box abstractions of a complex system, as well as using parallel simulation to accelerate learning, we can obtain approximate but accurate results with a good degree of scalability.

LBT uses machine learning to reverse engineer multi-vehicle system-of-systems (SoS) models. These SoS models can then be subject to glass-box analysis techniques, such as model checking, to check violation of safety requirements. Previously in [22], we have used LBT to analyse platooning systems from the perspective of qualitative safety properties, such as vehicle collisions. In this paper we extend the scope of LBT to quantitative estimation of safety related parameters. We show how to use LBT to numerically estimate a minimum value of an SoS parameter such that a given system safety property is not violated. This will typically be a parameter that can be tuned to optimise a specific product for some desired performance. Thus it might be overtuned in a way that can compromise safety or is inappropriate for an environment in some (possibly rare) scenario.

A pertinent example of parameter estimation arises in our platooning case study. Here inter-vehicle distance and time gaps are typically reduced to a minimum in order to save fuel. The question arises: what is the minimum value that could be chosen for all inter-vehicle gaps such that no crashes occur due to vehicles being too close? This minimum value is influenced by many factors, not only in the vehicle design itself, but also by environmental factors such as V2V communication packet loss.

¹ See www.safecop.eu.

Our approach to quantitative parameter estimation involves performing multiple LBT sessions to efficiently refine an estimate interval. This computationally intensive analysis becomes more feasible when simulators, models and the appropriate machine learning algorithms are executed on inexpensive multi-core hardware, which is increasingly available. We define a specific method for parameter estimation using LBT. We then illustrate it by applying it to study our distributed CEBP algorithm integrated in a platoon simulator. The CEBP algorithm is an exemplar of the Co-CPS paradigm of decentralised distributed control. An optimal design for a CEBP is influenced by many factors such as pre-existing platoon control algorithms, underlying physical dynamics models, inter-vehicle communication protocols and environmental features.

Although many safety hazards impacted by CEBP could be studied, in this paper we focus on the safety hazard due to message packet loss arising from radio interference. We estimate the minimum global time headway for different platoon sizes under both perfect communication and stochastic packet loss. This is the minimum time headway between all platoon vehicles that allows collision free motion. By extending the learning time of LBT, we can improve the reliability of this estimate to any given level.

The stochastic packet loss model we use is based on empirical data from V2V communication measurement during physical road tests with a platoon. This stochastic packet loss model, a communication protocol model and a CEBP implementation are then integrated with the platoon simulator described in [22] to model communication and vehicle dynamics performance. The main emphasis of our work however is on the analysis methodology itself, and not the problem of fully accurate platoon modeling. Since we use black-box learning methods, only platoon behavior, and not architecture or code structure, is inferred. Thus our LBT approach can be transferred to more complex platoon models without difficulty.

1.1 Related Work

A platooning system for trucks with focus on fuel efficiency is presented in [20]. A brief survey of other vehicle platooning systems is given in [3]. Cooperative adaptive cruise control (CACC) is a similar technology to platooning, but has its focus entirely on maintaining steady-state longitudinal control. Emergency braking in a platoon is also studied in [13]. Here, a dedicated communication protocol and a novel controller (including control topology), that takes into account packet losses, is investigated. Assumptions of bounded packet losses are made to be able to derive bounds of headway. In [32] different CACC strategies are evaluated regarding headway using simulation. Several different parameters associated with uncertainty are considered, including packet loss. An event-triggered control scheme and communication strategy is developed for platooning in [8]. Examples of static analysis applied to platooning problems where the collision free property is studied are [7,9]. In [17] it is shown that verifying vehicle code does not scale well to the entire system-of-systems, and a mixed top-down and bottom-up verification strategy is applied.

Some (but not all) of the problems encountered in message packet loss in Section 6 are related to compression waves within platoon simulations. Hence they are somewhat related to the well-known phenomenon of string instability. The effects of string stability and a networked control system have been studied in [26]. Here an analytical approach of string stability is presented for a CACC application, where each vehicle is controlled by its predecessor. Quantitative results are given through an approach based on an analytical method. Communication deficiencies are described in terms of a Maximum Allowable Transmission Interval and Maximum Allowable Delay, rather than as a stochastic model of packet loss. Safety is interpreted as string stability, rather than the crash condition of zero distance between vehicles.

In [31] an analytical framework is presented which links the wireless channel characteristics with the probability of crash in a two vehicle emergency-brake scenario. The maximum tolerable delay, between the beginning of the emergency braking by the preceding vehicle and the moment the following vehicle starts braking, is found. The developed CPS analysis approach is applied to demonstrate how V2V communication packet losses and communication delays impact safe inter-vehicular distance for specified kinematic parameters of vehicle movements.

1.2 Organisation of the Paper

The rest of the paper is organised as follows. Section 2 presents measurement of V2V communication in a platoon of trucks during road tests, providing the basis of our communication model. Section 3 presents our novel CEBP algorithm. Section 4 presents a methodology for quantitative safety analysis using learning-based testing. Section 5 presents the platoon simulator used for safety analysis of our CEBP algorithm. Section 6 presents the results of our quantitative analysis of the minimum global time headway under conditions of packet loss. Finally, conclusions and future work are given.

2 Road Testing

In this section we describe details and results of a measurement campaign² within the Relcommh project [18] to establish packet loss levels in different platoon driving scenarios. These measurements of V2V communication were done using a platoon of four trucks (cf. Figure 1).

The motivation for this section is twofold. On the one hand, we wish to show in Section 6 how the reliability of quantitative safety analysis results for SoS is influenced by the accuracy of environmental modeling. On the other hand, there is a need in the literature to increase understanding of the environment that a platoon is designed for. In the light of results of this section, we can point out some unrealistic assumptions made in the literature. Our measured results suggest that the low packet error rate used in [32] and assumption of no packet loss in [8] are overly optimistic.

² The measurements were done while the first author was employed at RISE - The Swedish Research Institute (previously SP - Technical Research Institute of Sweden).

In our measurement campaign, at each periodic message broadcast (10 Hz) from the leader truck, the perceived packet error rate (PER) at each of the following vehicles was measured. In Table 1, the PER is presented for three different scenarios. Messages were 500 bytes long and 5.9 GHz V2V devices according to ETSI standards [10] were used. Each truck had a left and right antenna from which it could send and receive. Therefore, two PERs are given: communication left-to-left and right-to-right. Differences between the two PERs can be motivated by differences in the immediate surroundings of either side of the vehicle. For example, on the left side of the motorway there is a metal safety barrier that separates the two traffic directions. This may impact PER. A Motorway scenario and a Tunnel scenario were measured at 80 km/h vehicle speeds, with 20 m and 20-50 m inter-vehicle distance respectively. In the Parked scenario, the platoon was parked in a platoon formation with a 10 m gap between each truck. The PER between the LV and FV1 is denoted PER_base. First-order linear regression was used to calculate the projected average increase in PER for each vehicle hop (rightmost column in the table). This model was then incorporated into the platooning simulator. One result (11.14 %) could be anomalous as it falls outside the expected trend of increasing PER as the distance between communicating vehicles (LV to FV_i) increases.

Table 1: Packet Error rates (Upper: left-left, Lower: right-right)

Scenario          LV to FV1   LV to FV2   LV to FV3   Average increase
Motorway           3.67 %     18.03 %     40.91 %     18.62 %
                   2.72 %      5.93 %     22.13 %      9.70 %
Motorway tunnel    6.39 %      5.85 %     11.16 %      2.39 %
                   6.82 %      6.74 %     11.47 %      2.32 %
Parked             0.57 %      5.89 %     22.13 %     10.78 %
                   2.39 %     14.05 %     11.14 %      4.37 %
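The Table 1 regression model and the anomaly it flags, as an added Python example that is not the paper's simulator code; the linear fit over hops 1..3 reproduces the "Average increase" column, while extrapolating it to further hops and clamping it to [0, 100] % are assumptions of this example.

```python
"""Per-hop packet error rate (PER) model derived from Table 1 (added example, not the
paper's simulator code). The projected PER per hop is a first-order linear regression
over the three measured hops, as Section 2 describes; extrapolating it to hops beyond
FV3 and clamping it to [0, 100] % are this example's assumptions."""
from typing import Dict, List, Sequence, Tuple

# Measured PER in % from LV to FV1, FV2, FV3 (Table 1): "left" = left-to-left antenna,
# "right" = right-to-right antenna.
TABLE_1: Dict[str, Dict[str, List[float]]] = {
    "motorway":        {"left": [3.67, 18.03, 40.91], "right": [2.72, 5.93, 22.13]},
    "motorway tunnel": {"left": [6.39, 5.85, 11.16],  "right": [6.82, 6.74, 11.47]},
    "parked":          {"left": [0.57, 5.89, 22.13],  "right": [2.39, 14.05, 11.14]},
}


def linear_fit(pers: Sequence[float]) -> Tuple[float, float]:
    """Least-squares fit PER(hop) = intercept + slope * hop over hops 1..len(pers).
    The slope is the projected average PER increase per vehicle hop."""
    n = len(pers)
    hops = range(1, n + 1)
    mean_hop = sum(hops) / n
    mean_per = sum(pers) / n
    sxy = sum((h - mean_hop) * (p - mean_per) for h, p in zip(hops, pers))
    sxx = sum((h - mean_hop) ** 2 for h in hops)
    slope = sxy / sxx
    return mean_per - slope * mean_hop, slope


def average_increase(scenario: str, antenna: str) -> float:
    """Average PER increase per hop (%) for one Table 1 row, e.g. 18.62 for motorway/left."""
    return linear_fit(TABLE_1[scenario][antenna])[1]


def projected_per(scenario: str, antenna: str, hop: int) -> float:
    """PER (%) this model assigns to FV_hop under the given scenario and antenna."""
    intercept, slope = linear_fit(TABLE_1[scenario][antenna])
    return min(100.0, max(0.0, intercept + slope * hop))


def anomalous_hops(pers: Sequence[float]) -> List[int]:
    """Hops whose PER is below the previous hop's, i.e. outside the expected trend of
    PER increasing with distance from the LV (Table 1's 11.14 % is one such value)."""
    return [h for h in range(2, len(pers) + 1) if pers[h - 1] < pers[h - 2]]


if __name__ == "__main__":
    for scenario, antennas in TABLE_1.items():
        for antenna, pers in antennas.items():
            print(f"{scenario:16s} {antenna:5s} slope {average_increase(scenario, antenna):6.2f} %/hop"
                  f"  FV4 projected {projected_per(scenario, antenna, 4):6.2f} %"
                  f"  anomalies at hops {anomalous_hops(pers)}")
```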

In all measured scenarios there were instances of consecutive packet loss (CPL). For the E4 motorway (left to left antenna) scenario the following was found: CPL1 = 61.53 % (single lost packet), CPL2 = 36 % (two lost packets in a row), CPL3 = 1.6 %, CPL4 = 0.8 %, CPL4..k = 0.87 %. The percentages indicate the distribution of a certain CPL, when there is a packet loss. The largest CPL (longest blackout, k) was eight packets in a row. This implies that the assumed bounds on packet loss in [13] are somewhat optimistic (at most three and five consecutive packets lost are investigated).

We note that the outcome of packet loss measurements depends on several factors such as the radio equipment, antennas, placement and environment. Further details of measurements in the road tests are found in [18].

[Figure 1: LV -> FV1, FV2, FV3]

Fig. 1: Communication scheme in the tests. LV denotes Lead Vehicle. FV_i denotes Following Vehicle i.

3 A Coordinated Emergency Brake Protocol

In this section, a protocol for Coordinated Emergency Brake (CEBP) is presented. The goal of the protocol is to coordinate vehicles in an emergency brake scenario to ensure safety (no crashes). An emergency brake can be initiated by any vehicle in the platoon. Here it is assumed that the platoon of N vehicles is formed and no vehicles are joining or leaving. It must be ensured that the last vehicle receives the brake command and actuates first. Braking can commence at the last vehicle directly when it receives the "E-brake request" message. The braking vehicle then sends an acknowledgement (ACK) forward with an "E-brake ACK" message. Preceding vehicles can thus start to brake when the ACK from succeeding vehicles arrives. E.g. FV2 cannot brake until ACK is received from FV3 indicating that it has started to brake. This is illustrated in Figure 2.

Each vehicle also maintains a "brake-anyway" time-out timer. When the timer expires, the vehicle will brake directly and signal this, with an "E-Brake directly" message, to the other vehicles. The value of the time-out corresponds to the expected latency for a returning ACK. Message sending can be done with event-triggered directed broadcast, i.e. there is a sender and an explicit receiver, but the message may be overheard by other vehicles within the platoon. In this case, a vehicle can prepare its brakes in anticipation of the ACK from the succeeding vehicle.

We assume that vehicles entering the platoon cannot be sorted according to deceleration capability. Instead, other sorting goals may have priority, such as destination or aerodynamic performance. Not having a sorting procedure at vehicle join implies that a brake strategy, i.e. the description of how vehicles will brake in the event of an emergency brake, must be found in another way. A simple way is to limit braking of the platoon according to the vehicle with least deceleration capability, as is done in [25]. Alternatively, an algorithm could find cliques of vehicles in the platoon that will brake together with a lowest common brake capability. In Figure 2 the actual deceleration capabilities are shown for an example platoon, e.g. -8 m/s² for the lead vehicle. As vehicles join the platoon, brake cliques will be formed, e.g. Clique 1 = (LV, FV1, -4 m/s²), Clique 2 = (FV2, FV3, -5 m/s²). The agreed deceleration of cliques increases towards the rear, implying that the last clique will brake the most. Note that this implies a voluntary reduction of deceleration capability in some vehicles. An algorithm for finding the brake strategy in the platoon is left for future work. CEBP assumes that a brake strategy has been decided and all vehicles will brake equally. The members and order of the platoon are known.

[Figure 2: LV (-8 m/s²), FV1 (-4 m/s²), FV2 (-6 m/s²), FV3 (-5 m/s²)]

Fig. 2: An E-brake command from the LV. The acknowledgement then propagates back to the LV, from back to front.

Our CEBP algorithm has been implemented and integrated into each vehicle in the platooning simulator of [22]. It has been studied using our quantitative safety analysis method described in Section 4 and the results are presented in Section 5.

3.1 Pseudo code

Pseudo code for the CEBP is presented in Algorithm 1. Vehicles are indexed by V_i where i = 0 is the lead vehicle (first vehicle, also denoted LV) and i = 1..N-1 are the following vehicles (also denoted FV, e.g. where FV1 implies i = 1). The last vehicle is V_{N-1} (also denoted e.g. FV3 for N = 4). The algorithm that is described in the pseudo-code is executed in each vehicle in the platoon. The index i is static in each vehicle, i.e. in each instance of the algorithm. This implies that each vehicle knows its identity and hence its position in the platoon. An E-brake command is assumed to come from an external system or to be manually initiated.

Some comments regarding the code in Algorithm 1 are appropriate: On line 11, directly receiving an "E-brake request" implies that V_i is the last vehicle. This is because any vehicle that requests to E-brake will do so by sending to the last vehicle. On line 25, an ACK is sent by a vehicle that did "brake directly". This is because there could be preceding vehicles that are waiting for the ACK. If the ACK was not sent then the preceding vehicles can start to brake only after their time-out counters expire. On lines 24 and 25 the messages are repeated, e.g. until the algorithm is reset. On line 5 an alternative is possible. Instead of EBR/ACK, a vehicle that receives "E-brake directly" could also do "E-brake directly".

Algorithm 1 CEBP - Loop in every vehicle

 1: if Ego Vehicle V_i wants to e-brake then
 2:     send "E-brake request" to the last vehicle in the platoon V_{N-1}
 3: end if
 4: if "E-Brake directly" is received by Ego Vehicle V_i then
 5:     send "E-brake request" to the last vehicle in the platoon V_{N-1}
 6: end if
 7: if Ego Vehicle V_i (has sent "E-brake request" command) or (overheard "E-brake request" or "E-brake ACK" from V_j) then
 8:     prepare brake system
 9:     start Timer_i
10: end if
11: if "E-brake request" is received by Ego Vehicle V_i from a preceding vehicle V_j, where j in {0..i-1} then
12:     Ego Vehicle V_i actuates e-brake strategy
13:     send "E-brake ACK" to the next preceding vehicle V_{i-1}
14: end if
15: if "E-brake ACK" is received by Ego Vehicle V_i from next succeeding vehicle V_{i+1} then
16:     Ego Vehicle V_i actuates e-brake strategy
17:     stop Timer_i
18:     if i > 0 and has not already sent an "E-brake ACK" to preceding then
19:         send "E-brake ACK" to the next preceding vehicle V_{i-1}
20:     end if
21: end if
22: if Timer_i has expired then
23:     Ego Vehicle V_i actuates e-brake strategy
24:     send "E-Brake directly" to succeeding vehicles V_j, where j in {i+1..N-1}
25:     send "E-brake ACK" to the next preceding vehicle V_{i-1}
26: end if
27: if Timer_i is started then
28:     decrease Timer_i
29: end if
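The loop of Algorithm 1 run by every vehicle of a four-truck platoon, as an added discrete-time simulation in Python (not the paper's simulator); one step per loop pass, messages heard one step after sending, and a per-hearer loss function are modelling assumptions of this example. With perfect communication the last vehicle brakes first and the ACK chain reaches the LV; when the ACK from FV3 to FV2 is lost, the brake-anyway timers fire and the vehicles fall back to "E-Brake directly", which is why the time-out must cover the expected ACK latency.

```python
"""Discrete-time simulation of the CEBP loop of Algorithm 1 (added example, not
the paper's simulator). One simulation step = one pass of the loop in every vehicle;
a message sent in step s is heard in step s + 1 by every vehicle except the sender,
unless the injected loss function drops it for that particular hearer."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

EBR, ACK, DIRECT = "E-brake request", "E-brake ACK", "E-Brake directly"
Msg = Tuple[str, int, int]                      # (kind, sender, explicit receiver)
LossFn = Callable[[int, str, int, int], bool]   # (step, kind, sender, hearer) -> lost?


@dataclass
class Vehicle:
    i: int
    prepared: bool = False
    timer: Optional[int] = None       # None: not started; 0: expired
    sent_ebr: bool = False
    sent_ack: bool = False
    brake_step: Optional[int] = None  # step at which the e-brake strategy was actuated

    def actuate(self, step: int) -> None:
        if self.brake_step is None:
            self.brake_step = step


def simulate_cebp(n: int, initiator: int, timeout: int,
                  lose: LossFn = lambda step, kind, sender, hearer: False,
                  max_steps: int = 60) -> List[Optional[int]]:
    """Return, for V_0..V_{N-1}, the step at which each vehicle actuated its brakes
    (None if it never did within max_steps)."""
    assert n >= 2 and 0 <= initiator < n
    vs = [Vehicle(i) for i in range(n)]
    pending: List[Msg] = []
    for step in range(max_steps):
        # Directed broadcast: the explicit receiver and every other vehicle hear it.
        heard = [[m for m in pending if m[1] != v.i and not lose(step, m[0], m[1], v.i)]
                 for v in vs]
        pending = []
        for v in vs:
            i, out = v.i, []
            received = [m for m in heard[i] if m[2] == i]
            overheard = [m for m in heard[i] if m[2] != i and m[0] in (EBR, ACK)]
            # lines 1-3: the ego vehicle wants to e-brake (modelled as happening at step 0)
            if step == 0 and i == initiator:
                out.append((EBR, i, n - 1))
                v.sent_ebr = True
            # lines 4-6: an "E-Brake directly" is answered with a request to the last vehicle
            if any(m[0] == DIRECT for m in received):
                out.append((EBR, i, n - 1))
                v.sent_ebr = True
            # lines 7-10: prepare the brake system and start the brake-anyway timer
            if v.sent_ebr or overheard:
                v.prepared = True
                if v.timer is None and v.brake_step is None:  # no timer once braking (example's choice)
                    v.timer = timeout
            # lines 11-14: a request from a preceding vehicle: V_i is the last vehicle, brake now
            if any(m[0] == EBR and m[1] < i for m in received):
                v.actuate(step)
                out.append((ACK, i, i - 1))
                v.sent_ack = True
            # lines 15-21: ACK from the next succeeding vehicle: brake and pass the ACK forward
            if any(m[0] == ACK and m[1] == i + 1 for m in received):
                v.actuate(step)
                v.timer = None
                if i > 0 and not v.sent_ack:
                    out.append((ACK, i, i - 1))
                    v.sent_ack = True
            # lines 22-26: timer expired: brake anyway, repeated every step until reset
            if v.timer == 0:
                v.actuate(step)
                out += [(DIRECT, i, j) for j in range(i + 1, n)]
                if i > 0:
                    out.append((ACK, i, i - 1))
            # lines 27-29: count a started timer down
            if v.timer:
                v.timer -= 1
            pending += out
        if all(v.brake_step is not None for v in vs):
            break
    return [v.brake_step for v in vs]


if __name__ == "__main__":
    print("perfect communication, LV initiates:", simulate_cebp(4, 0, 10))
    drop_ack = lambda step, kind, sender, hearer: kind == ACK and sender == 3 and hearer == 2
    print("ACK FV3->FV2 lost, timeout 10:     ", simulate_cebp(4, 0, 10, lose=drop_ack))
```

In the lossy run the LV's timer (started when it sent the request) expires before its followers' timers (started when they overheard it), so the LV brakes one step before FV1 and FV2: the time-out value has to be chosen with the full ACK chain latency in mind.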

4 An LBT Methodology for Quantitative Safety Analysis

In this section, we review some fundamental principles of learning-based testing (LBT). We then show how these methods can support a quantitative approach to safety analysis.

4.1 Learning-based Testing (LBT)

We begin by reviewing the fundamental principles of learning-based testing (LBT) as these have been implemented in our research tool LBTest. The earliest version of this tool (LBTest 1.x) has been described in [24]. The current tool architecture of LBTest 3.x is presented in Figure 3. This is a concurrent software architecture designed to support LBT on multi-core hardware. Such hardware supports the parallel execution of machine learning queries in multiple threads, where each thread executes a copy SUT_i of the system under test (SUT) (cf. Figure 3). This approach reduces both the simulation time and the learning time, as the learning algorithm itself can also be parallelized. Examples of computation time improvements by such parallelisation have been shown in [22]. By increasing the throughput of data, a larger data set becomes available for machine learning. This increases the accuracy or convergence of the final learned model and hence the reliability of quantitative parameter estimates. For analysing complex Co-CPS behaviors, we believe that concurrency is essential. Since the design of the architecture in Figure 3 has been discussed in [22], we focus on the basic principles of LBT here.

LBTest uses active automaton learning aka. regular inference (see e.g. [14]) to generate queries about a black-box SUT. These queries are then executed on the SUT as test cases, and the SUT behaviour is observed for each test case. In an iterative and incremental process, the test cases and the SUT observations are saved and used to build up a behavioral model of the SUT in polynomial time [1]. This model is an automaton or state machine model.

For requirements testing, partial and incomplete models of the SUT can already be subjected, in the early stages of testing, to model checking against a temporal logic requirement specification. Thus, even before the learning process is complete, errors can be found in the SUT. This fact is important for large and complex SUTs such as Co-CPS, where it might not be possible to learn a complete model in any reasonable timescale, even with the use of multi-core technology. In LBTest, propositional linear temporal logic³ (PLTL) is used as the requirements modeling language. This particular logic has the advantage that test cases can easily be extracted from the model checker, and used to filter out false negatives as we will show. LBTest makes use of a loosely integrated symbolic checker NuSMV [6]. We are also developing a more tightly integrated explicit state model checker for efficiency reasons. These two processes of learning and model checking may be interleaved, an idea first suggested in [27]. Then they incrementally build up a sequence M1, M2, ... of models of the SUT, while generating and executing requirements test cases on each model Mi. However, for large and complex Co-CPS this interleaved approach is too inefficient, and model checking is then only performed on the final model. In Section 6 we have used model checking on the final model only. Thus no bias to the model from model checking and counterexample construction can exist.

³ Recall that propositional LTL extends basic propositional logic with the temporal modalities G(φ) (always φ), F(φ) (sometime φ) and X(φ) (next φ). Other derived operators and past operators may also be included. See e.g. [12] for details.

[Figure 3: components shown are the Automaton Learning Algorithm, the Model Checker, the Stochastic equivalence checker, the TCG and Oracle, and SUT 1 ... SUT K (receiving active queries and equivalence queries); the LTL Requirement Formula Req is input to the Model Checker, which yields counterexample cm and test cases; the final model abstraction M_final, observed outputs o_n (n = 1, 2, ...) and the Verdict v are the remaining labelled flows.]

Fig. 3: LBTest 3.x concurrent learning architecture

To separate true negatives (genuine SUT errors) from false negatives (artifacts of an incompletely learned model) it is necessary to validate each counter-example to a requirement generated by the model checker. For this we can: (i) extract a test case representing the counter-example⁴, (ii) execute it on the SUT, (iii) apply an equality test that compares the observed SUT behavior with the predicted bad behavior from the model, and (iv) automatically generate the test verdict (pass, fail) from step (iii).

The soundness of learning-based testing as an analysis method relies on the soundness of the underlying model checker, and the soundness of equality testing. The completeness of LBT as an analysis method relies on the completeness of the underlying model checker, as well as convergence results about the learning algorithms which are used (see [14]). However, within practical case studies of large complex systems it may not be possible for learning to be completed in any reasonable time frame (see e.g. [11]). This problem is significant for Co-CPS. Therefore, development of LBTest has focused on incremental learning algorithms that can generate incomplete approximating models of the SUT in small increments.

⁴ Infinite counter-examples to LTL liveness formulas are truncated around the loop, and the weaker test verdict warning may be issued.

To measure the test coverage achieved by learning-based testing we currently use a probably exactly correct (PEC) model of learning convergence as follows. In Figure 3, a stochastic equivalence checker is shown. This checker empirically estimates the behavioral accuracy of the final learned model M_final for replicating the behavior of the SUT on a randomly chosen set of input sequences. For this, the input sequences are executed both on the SUT and the model. We then measure the percentage of behaviorally identical output sequences generated by both. This learning convergence model is more restrictive than the probably approximately correct (PAC) convergence model of [30]. There are two motivations for this: (i) our automaton learning framework does not readily support notions of approximate equivalence between data values, and (ii) for software safety analysis exact equality of data values (inputs or outputs) is often a pre-requisite to infer failed test cases.

4.2 Quantitative Parameter Estimation

A qualitative safety analysis of platooning using LBT was given in [22]. Here we extend this previous approach to quantitative parameter estimation. We are interested to estimate the minimum values of numerical system parameters (such as inter-vehicle distance and time headway) which lie on the boundary between safe and unsafe system behavior.

More precisely, in quantitative parameter estimation, the problem is to estimate the minimum value $v_{min}$ of some continuous SUT parameter $p$ such that an LTL safety property prop is not violated. The parameter $p$ could be an input variable, or a system constant that must be set to an optimal value. Now $p$ may or may not explicitly appear in the formula prop but it should be able to influence its truth value (see e.g. the formula Eq 1 in Section 6).

If we can assume that the safety property prop varies monotonically with $p$, then this allows us to use a binary chop search to iteratively halve an estimate interval $v_{min} \in [v^i_{true}, v^i_{false}]$ for $i = 0, \ldots, n$. Here, $v^i_{true}$ is the current upper bound where prop is true and $v^i_{false}$ is the current lower bound where prop is false. The search begins from two initial endpoints $[v^0_{true}, v^0_{false}]$ that can be obtained by conservatively over-estimating and under-estimating the value of $v_{min}$.

For a binary chop search, as usual we iterate the boundary search process by refining one of the endpoints. Thus: (i) $v^{i+1}_{true} := (v^i_{true} + v^i_{false})/2$ if LBT cannot find a counterexample to prop on the midpoint up to a given learning convergence value. Otherwise: (ii) $v^{i+1}_{false} := (v^i_{true} + v^i_{false})/2$. Then we carry forward into the next iteration the other endpoint, $v^{i+1}_{false} := v^i_{false}$ in case (i) and $v^{i+1}_{true} := v^i_{true}$ in case (ii) respectively. This process is iterated until a desired interval accuracy $[v^n_{true}, v^n_{false}]$ is achieved.

Refinement of the boundary $v^i_{true}$ is of course problematic here, since just because a counterexample has not been found by LBT, this does not mean that it does not exist. This is particularly true if the learned models are incomplete. Therefore, we emphasize that our methodology is a parameter estimation technique based on systematic testing, and not a verification technique. As such, our methodology provides an alternative to a traditional Monte-Carlo estimation of $v_{min}$. However, we believe there are three significant advantages to our approach compared with Monte-Carlo techniques, based on the use of machine learning.
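The binary chop of Section 4.2 as an added Python example (not the paper's LBTest code): each LBT session at a midpoint is replaced by a stand-in oracle, a constructed 1 ms-step two-vehicle emergency-brake model whose speed, deceleration and ACK delay are assumptions of this example, and the initial endpoints are checked to be conservative before the search starts.

```python
"""Binary chop estimation of v_min as in Section 4.2 (added example, not the
paper's code). An LBT session per midpoint is replaced by a stand-in oracle:
a 1 ms-step two-vehicle emergency-brake model, an assumption of this example."""
from typing import Callable, List, Tuple

Interval = Tuple[float, float]   # (v_true, v_false) in the paper's notation


def binary_chop(no_counterexample: Callable[[float], bool],
                v_true: float, v_false: float, tol: float) -> Tuple[Interval, List[Interval]]:
    """Halve [v_true, v_false] until |v_true - v_false| <= tol.

    no_counterexample(v) plays the role of one LBT session at parameter value v:
    True means no counterexample to prop was found up to the chosen convergence.
    Assumes prop is monotone in the parameter, as Section 4.2 does."""
    # Initial endpoints must be conservative: prop holds at v_true and fails at v_false.
    if not no_counterexample(v_true) or no_counterexample(v_false):
        raise ValueError("initial endpoints do not bracket v_min")
    history = [(v_true, v_false)]
    while abs(v_true - v_false) > tol:
        mid = (v_true + v_false) / 2
        if no_counterexample(mid):
            v_true = mid          # case (i): tighten the endpoint where prop holds
        else:
            v_false = mid         # case (ii): tighten the endpoint where prop fails
        history.append((v_true, v_false))
    return (v_true, v_false), history


def two_vehicle_brake_safe(headway_s: float, speed: float = 22.0, decel: float = 5.0,
                           ack_delay: float = 0.3, dt: float = 0.001) -> bool:
    """Stand-in SUT (constructed): the leader brakes at t = 0; the follower, which as
    in CEBP applies the same brake strategy, starts after the ACK latency ack_delay.
    Returns True when the inter-vehicle gap never reaches zero (no collision)."""
    gap = speed * headway_s          # time headway converted to distance at this speed
    v_lead = v_follow = speed
    t = 0.0
    while v_lead > 0.0 or v_follow > 0.0:
        v_lead = max(0.0, v_lead - decel * dt)
        if t >= ack_delay:
            v_follow = max(0.0, v_follow - decel * dt)
        gap += (v_lead - v_follow) * dt
        if gap <= 0.0:
            return False
        t += dt
    return True


def estimate_min_headway(tol: float = 0.01) -> Tuple[Interval, int]:
    """Estimate the minimum time headway of the stand-in SUT from the conservative
    initial endpoints v0_true = 1.0 s (safe) and v0_false = 0.0 s (unsafe); also
    returns the number of sessions (oracle calls at midpoints) that were needed."""
    (v_true, v_false), history = binary_chop(two_vehicle_brake_safe, 1.0, 0.0, tol)
    return (v_true, v_false), len(history) - 1


if __name__ == "__main__":
    (vt, vf), sessions = estimate_min_headway()
    print(f"v_min in [{vf:.4f} s, {vt:.4f} s] after {sessions} sessions")
```

For this stand-in SUT the true boundary is the ACK delay itself (0.3 s), so the returned interval can be checked against a known answer; with a learned model in place of the oracle, the same caveat as above applies to the $v_{true}$ side of the interval.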

(1) The explicit construction of a model using machine learning gives a more powerful artifact than simply a set of execution traces (as used in Monte Carlo estimation). This model allows us to analyze complex requirements properties, including safety, fairness and liveness issues. These properties cannot be semantically evaluated on traces alone, i.e. they are global properties of a model.

(2) Convergence estimates for the model give more insight into reliability of the estimate for $v_{min}$ than simply measuring the size and statistical significance of a randomly chosen Monte Carlo sample set. This fact is easily demonstrated, for if complete learning succeeds then a Monte Carlo approach is never aware of this and will underestimate the statistical significance of the result. A related aspect to this is the third advantage.

(3) The random query set associated with a Monte Carlo estimate contains significant redundancy when compared with a query set generated by active automaton learning. Said differently, random querying is a very inefficient way to learn the structure of an automaton.

5 A Platooning Simulator

The simulator implements a model for each platoon vehicle behaviour as well as a communication framework for inter-vehicle (V2V) communication modelled on the IEEE 802.11p protocol. The platooning simulator is capable of simulating an N-vehicle platoon travelling in one dimension along a roadway. It is an extension of the simulator presented in [22]. No steering model (i.e. lateral movement) is currently present in the simulator. This extension is part of ongoing research into more general spatio-temporal logic requirements modeling for Co-CPS, see e.g. [19].

5.1 The Vehicle Model

A key control algorithm in the platooning simulator is the longitudinal position controller. For this, we have implemented several published ACC algorithms which control the CACC component of each vehicle (see [29] for detailed descriptions of each). The specific ACC evaluated in Section 6 is Kakade's algorithm [16], which was chosen for its simplicity and a basic tendency to propagate compression waves. We were interested to know whether this effect, in combination with message packet loss, could disturb emergency braking, and whether LBTest could discover such a problem.

In the simulator there is a detailed model of vehicle braking. This includes a complete industrial model of a brake-by-wire subsystem featuring: (i) global brake torque distribution to individual wheels, (ii) ABS functionality based on slippage detection, and (iii) a friction model for tyres based on slippage rate using common physical parameter values. The simulator also includes e.g. odometry and V2V communication. The most relevant missing models are engine, powertrain and suspension models. While these models could easily be added by using an industrial simulator such as TruckMaker [15] (which is ongoing research) they would not invalidate the basic methodology of this paper.

Environment models in the simulator deal with air resistance and road friction. We assume a constant road friction value for simplicity. A message packet loss model, based on the data of Section 2, was used. To provide deterministic and repeatable behavior (with the exception of packet loss), the simulator is based on synchronous execution of all vehicle components. The fundamental simulation cycle is one millisecond, which provides adequate simulation accuracy for the control algorithms.

5.2 The Communication Model

The communication framework assumes wireless broadcast and point-to-point multi-hop communication between the vehicles in the platoon. A slotted TDMA scheme based on ideas from [5] is implemented: to avoid communication collisions, each vehicle V_i is allowed to transmit only in its own TDMA slot.

As communication is broadcast-based, receiving vehicles can lose packets independently during a broadcast operation. Thus a packet can be received by one vehicle and lost by another. For example, a broadcast from the LV is correctly received at FV1 and FV2, but not FV3, see Figure 1. In a platoon of N vehicles, for any sender V_i and receiver V_j (where 0 ≤ i, j ≤ N−1, i ≠ j) let d = |i − j| correspond to the distance between the sender and receiver. The probability P in percent of a message being lost is P(message lost) = PER_base + increase · (d − 1). Note that with the values from the road test, the probability of message loss (from the LV to the last vehicle) is 100% in a platoon of eight vehicles or more; hence every message is lost (unless e.g. multi-hop communication is used).
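The loss model above, the independence of losses across receivers of one broadcast, and the slotted TDMA scheme, as an added Python example (this is not code from the paper's simulator). It uses the motorway parameter values quoted in Section 6 (PER_base = 3.67 %, increase = 18.6 % per hop) and reproduces the observation that a lead-vehicle broadcast reaches the last vehicle of an eight-vehicle platoon with probability zero. The clamp of the linear model to [0, 100] %, the fixed RNG seed, and all function names are our own assumptions.

```python
import random

# Packet-loss model of Section 5.2, P(message lost) = PER_base + increase * (d - 1)
# in percent, where d = |i - j| is the hop distance between sender V_i and
# receiver V_j. Parameter values are the motorway figures quoted in Section 6;
# the clamp to [0, 100] and the seeded RNG are our own additions.
PER_BASE_MOTORWAY = 3.67   # percent lost at hop distance d = 1
INCREASE_MOTORWAY = 18.6   # percent added per further vehicle hop


def loss_probability(d, per_base=PER_BASE_MOTORWAY, increase=INCREASE_MOTORWAY):
    """Loss probability in percent for hop distance d >= 1, clamped to [0, 100].

    Beyond the clamp the linear model exceeds 100 %, which the paper reads as
    'every message is lost'.
    """
    if d < 1:
        raise ValueError("sender and receiver must be distinct vehicles (d >= 1)")
    return max(0.0, min(100.0, per_base + increase * (d - 1)))


def smallest_fully_lossy_platoon(per_base=PER_BASE_MOTORWAY, increase=INCREASE_MOTORWAY):
    """Smallest platoon size N for which a lead-vehicle (V_0) broadcast reaches the
    last vehicle V_{N-1}, at hop distance d = N - 1, with probability zero.
    Returns None if the model never reaches 100 % loss."""
    if loss_probability(1, per_base, increase) >= 100.0:
        return 2
    if increase <= 0.0:
        return None
    n = 2
    while loss_probability(n - 1, per_base, increase) < 100.0:
        n += 1
    return n


def broadcast(sender, n_vehicles, per_base=PER_BASE_MOTORWAY,
              increase=INCREASE_MOTORWAY, rng=None):
    """Simulate one broadcast sent in vehicle `sender`'s own TDMA slot.

    Every receiver draws its loss independently, so the same packet can be
    received by one vehicle and lost by another. Returns the set of receivers.
    """
    if rng is None:
        rng = random.Random(0)          # fixed seed: repeatable runs
    received = set()
    for j in range(n_vehicles):
        if j == sender:
            continue
        # rng.random() lies in [0, 1), so a 100 % loss probability always loses
        # the packet and a 0 % one never does
        lost = rng.random() * 100.0 < loss_probability(abs(sender - j), per_base, increase)
        if not lost:
            received.add(j)
    return received


def tdma_round(n_vehicles, per_base=PER_BASE_MOTORWAY,
               increase=INCREASE_MOTORWAY, rng=None):
    """One TDMA frame: vehicle V_i transmits only in slot i, so transmissions never
    collide; the frame maps each sender to the set of vehicles that heard it."""
    if rng is None:
        rng = random.Random(0)
    return {slot: broadcast(slot, n_vehicles, per_base, increase, rng)
            for slot in range(n_vehicles)}


if __name__ == "__main__":
    for n in range(2, 10):
        print(n, "vehicles: LV -> last vehicle loss =", loss_probability(n - 1), "%")
    print("first fully lossy platoon size:", smallest_fully_lossy_platoon())
    print("one motorway TDMA frame, 8 vehicles:", tdma_round(8))
```

Running the script prints the lead-vehicle-to-last-vehicle loss for N = 2, ..., 9 and shows it reaching 100 % at N = 8, in line with the remark above; `tdma_round` illustrates that a single frame already yields different reception sets for different receivers of the same packet.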

6 A Case Study in Quantitative Safety Analysis

In this section, we present a case study of applying our quantitative parameter estimation method. The aim was to estimate the minimum safe global time headway for a platoon which has two modes of behavior: high speed cruising and emergency braking.

The local time headway hw_i(t) between two consecutive platoon vehicles V_i and V_{i+1} at time t is the time which would be needed for V_{i+1} to cross the gap which exists between V_i and V_{i+1} at time t (footnote 5). This local dynamic parameter measures the inter-vehicle gap in terms of time rather than distance. As a runtime parameter to the CACC of V_{i+1}, its driver can set a desired value HW_i for hw_i(t), according to relevant safety and fuel economy criteria. Typical values for HW_i are in the range 1.5 to 2.0 seconds [4]. This desired value HW_i is then maintained by the CACC. Perturbations to hw_i(t) through lead vehicle V_0 actions will lead to short term deviations of hw_i(t) from HW_i, which should be smoothed out by its CACC.

We are particularly interested to estimate system-of-system parameters. For this purpose, we assume that each platoon vehicle V_i adopts the same common global time headway HW, so that HW = HW_i. Now we can ask: what is the smallest value HW_min we can choose for HW which ensures safe driving for all vehicles V_i under all possible modes of behavior (footnote 6)? By safe driving, we can assume as a minimum condition crash-free driving, but obviously this criterion could be strengthened. The value HW_min we term the minimum safe global time headway. An estimate of HW_min is easily obtained by LBT if communication between vehicles is perfect, as the SUT is then completely deterministic.

When communication is imperfect then message packet loss is modeled stochastically and the SUT is no longer deterministic. Although most model checkers (including NuSMV) cope well with non-determinism, currently LBTest uses ML algorithms for deterministic automata only. To address this learning problem we inferred a set of deterministic models which support analysis of the average case behavior of the SUT. This seems pertinent, as the worst case SUT behavior involves catastrophic loss of all message packets. An alternative for future research would be to directly apply ML algorithms for non-deterministic or even probabilistic automata. (See Section 7.)

The integration of two control algorithms for high-speed cruising and emergency braking requires corresponding integration testing to ensure that no unwanted interactions can occur between these algorithms. In principle, high-speed cruising can bring the entire platoon to a state where emergency braking cannot be carried out safely. Such problems (if they occur) might be addressed by choosing a larger global time headway, so that unsafe states were no longer reachable. Thus one way to structure integration testing is to view it as an estimation problem for HW_min such that platooning is safe for both cruising and emergency braking with high probability.

To conduct parameter estimation for HW_min, the following protocol was implemented in LBTest. As in [22], we focused on emulating the lead driver behavior, since all follower vehicles autonomously adapt to this. Each test case tc for an N-vehicle platoon consisted of a sequence tc = (r_1, r_2, ..., r_λ) of lead driver accelerator, brake or emergency brake commands r_j. Each such command was one of: (i) a brake command (−1.88 m/s²), (ii) an accelerate command (1.25 m/s²), (iii) a neutral command (0 m/s²), or (iv) an emergency brake command (−2.22 m/s²). The initial estimate of HW_min was bounded between 0.5 and 2.0 seconds.

5 Assuming V_{i+1} maintains its speed at time t.

6 Clearly HW_min is a function of the many individual parameters of each vehicle V_i such as its weight, braking power etc. Different values of HW_min will thus be obtained if individual vehicle parameters are changed. For simplicity, we have assumed a homogeneous platoon, i.e. all vehicle parameters are the same.

For each test case tc = (r_1, r_2, ..., r_λ), the length λ and torque requests r_j were chosen dynamically both by the learning algorithm and the equivalence checker. For efficiency reasons, model checking was not used until after learning was concluded. Thus model checking counterexamples did not influence the analysis. The test case length λ took an average value of 18.3. On average, random test cases amounted to 2.3% of the entire test set. This compares with 100% in the case of Monte Carlo parameter estimation. Thus 97% of test cases were generated deterministically by ML to explore the state space of the SUT. The communication wrapper loaded and executed each test case tc. Each torque request value r_j was maintained constantly for a nominal 5 seconds (5000 simulation cycles). Thus the length of the simulation corresponding to tc was 5λ virtual seconds. The values chosen for λ were sufficient to reach high cruising speeds, in excess of 120 km/h.

The principal SUT output recorded for the test case tc was the time sequence of inter-vehicle gaps x^i_{r,0}, ..., x^i_{r,λ}, for each pair of vehicles V_i, V_{i+1}. Here, the time sequence term x^i_{r,t}, for 0 ≤ t ≤ λ, represents the gap between the host-target pair V_i and V_{i+1} measured at the end (footnote 7) of 5t virtual seconds (i.e. 5000t simulation cycles). The continuous values of each distance observation x^i_{r,t} were partitioned within the communication wrapper into three discrete equivalence classes:

good, tooClose, crash,

based on host and velocity dependent distance boundaries.

To represent the physical system state of the platoon we also observed the lead vehicle velocity values v^1_0, ..., v^1_λ and acceleration values a^1_0, ..., a^1_λ at the same observation times. These continuous valued observations were partitioned into 1 km/h and 1 km/h² equivalence classes.

During test sessions, each test case constructed by LBTest brought the entire platoon into a high speed cruising mode (using a sequence of non-random or random acceleration and braking commands). The test case would then issue the emergency brake command e followed by a sequence of neutral commands 0 (footnote 8). By alternating brake and acceleration commands, each test case could establish different global dynamics in the platoon at the moment of emergency braking. For example, by choosing to evaluate the simple PID algorithm for CACC of [16], we were able to observe compression waves where some vehicles were decelerating while others were accelerating. When the choice of global time headway HW fell below the minimum safe global headway HW_min then at least one failed test case could be observed. Since some of these failed test cases exhibited compression waves, we concluded that compression is an important non-linear dynamic for certain CACC designs. This observation concurs with the extensive literature regarding string stability and ACC design, e.g. [28].

7 It is also possible to use SUT observations between the output cycles by thresholding. This can yield greater accuracy, but this approach was not taken here.

8 These terminating neutral commands 0 were redundant by the design of CEBP, but extended the test case until the platoon was stopped.

The safety requirement for collision-free travel was expressed in LTL as

always( \bigwedge_{i=0}^{N-1} Gap_i > 0 ).   (Eq 1)

This formula expresses that a platoon of size N is safe, since Gap_i represents the i-th inter-vehicle time headway between vehicles V_i and V_{i+1}. Notice that the time headway t is not explicitly represented in this formula. Nevertheless, t clearly influences Requirement Eq 1, as too short a headway leads to crashes. Furthermore, t monotonically influences Eq 1, since every platoon trajectory with a minimum time headway t is also a legitimate trajectory for a minimum time headway of t' ≥ t. So parameter estimation using a bisection method is valid for this problem.
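The bisection estimate of HW_min that the monotonicity argument licenses, together with the discretisation of gap observations into the classes good, tooClose and crash described earlier in this section, as an added Python example (not code from LBTest or the paper's simulator). The brake scenario inside it is a constructed two-vehicle kinematic stand-in for the SUT: the lead vehicle brakes at the emergency deceleration of −2.22 m/s² quoted above, and the follower starts braking after a reaction delay TAU that we assume; the 0.5 s tooClose boundary, the use of the follower's speed as host speed, and all function names are likewise our assumptions. Requirement Eq 1 is evaluated on the resulting per-cycle trace, and the bisection starts from the study's initial bounds of 0.5 and 2.0 seconds.

```python
# Bisection estimate of the minimum safe global time headway HW_min (Section 6).
# Bisection is valid because safety is monotone in the headway: every trajectory
# that is crash-free at headway t is also crash-free at any t' >= t.
# The brake scenario below is a CONSTRUCTED two-vehicle kinematic stand-in for the
# paper's platooning simulator, not the SUT itself: the lead vehicle V_0 brakes at
# the paper's emergency deceleration and the follower V_1 starts braking after a
# reaction delay TAU (our assumption). Requirement Eq 1 is checked on the trace.

EMERGENCY_DECEL = 2.22      # m/s^2, emergency brake command of Section 6
CYCLE = 0.001               # s, the simulator's one-millisecond cycle (Section 5.1)
CRUISE_SPEED_KMH = 120.0    # km/h, cruising speeds reached in the study
TAU = 1.0                   # s, constructed follower reaction delay


def classify_gap(gap, host_speed, too_close_headway=0.5):
    """Map one gap observation (metres) to the wrapper's three classes.

    The 'tooClose' boundary scales with host speed, as in the paper; the 0.5 s
    figure is our assumption, the paper does not state its boundary.
    """
    if gap <= 0.0:
        return "crash"
    if gap < too_close_headway * host_speed:
        return "tooClose"
    return "good"


def emergency_brake_trace(hw, speed_kmh=CRUISE_SPEED_KMH, tau=TAU,
                          decel=EMERGENCY_DECEL, dt=CYCLE):
    """Run the constructed brake scenario from an initial gap of hw * v and
    return the gap class observed in every cycle until both vehicles stop."""
    v = speed_kmh / 3.6
    x_lead, x_follow = hw * v, 0.0
    v_lead, v_follow = v, v
    classes = []
    step = 0
    while v_lead > 0.0 or v_follow > 0.0:
        # trapezoidal position update is exact for constant deceleration
        new_lead = max(0.0, v_lead - decel * dt)
        x_lead += 0.5 * (v_lead + new_lead) * dt
        v_lead = new_lead
        # the follower only starts braking once the reaction delay has elapsed
        new_follow = max(0.0, v_follow - decel * dt) if step * dt >= tau else v_follow
        x_follow += 0.5 * (v_follow + new_follow) * dt
        v_follow = new_follow
        step += 1
        classes.append(classify_gap(x_lead - x_follow, v_follow))
    return classes


def is_crash_free(hw, **scenario):
    """Requirement Eq 1, always(Gap > 0), evaluated on the scenario trace."""
    return "crash" not in emergency_brake_trace(hw, **scenario)


def estimate_hw_min(is_safe, lo=0.5, hi=2.0, tol=0.01):
    """Bisection for the smallest safe headway in [lo, hi] for a monotone
    predicate is_safe. The defaults are the study's initial bounds. The result
    is the safe end of the final bracket, so it errs on the safe side by < tol."""
    if is_safe(lo):
        return lo
    if not is_safe(hi):
        raise ValueError("no safe headway within the initial bracket")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if is_safe(mid):
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    print("HW_min estimate [s]:", round(estimate_hw_min(is_crash_free), 3))
```

In the constructed scenario the gap closes by exactly v · TAU, so the estimate converges to just above TAU; with the real simulator `is_crash_free` would instead be answered by a test session, and for a stochastic packet-loss model the monotonicity only holds for the averaged behaviour the paper learns, which is why several deterministic models were inferred.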

[Fig. 4 plot: HW_min [seconds], axis 0.5 to 2.0, against number of vehicles N = 2, ..., 6; two series: no packet loss, motorway packet loss.]

Fig. 4: Minimum safe global time headway HW_min for different platoon sizes N and two packet loss rates.

The minimum safe global time headway HW_min was estimated for two different wireless communication scenarios. In the first, perfect data transmission was assumed in order to derive a baseline time headway value. In the second, the packet loss model (cf. Section 5) with parameters derived from the measurements of packet loss described in Section 2 was used. PER_base and the average increase per vehicle hop were chosen from the motorway scenario: 3.67 % and 18.6 % respectively. These values were the basis for a linear regression model to calculate the probability of a packet being lost.

The minimum safe global time headway HW_min for these two scenarios was estimated for platoon sizes N = 2, ..., 6 to study its variation with platoon size. The results can be seen in Figure 4. Significant is the observation that in both scenarios HW_min reaches a maximum value. This can be interpreted to mean that both the CACC and CEBP algorithms are scalable to large platoon sizes.

7 Conclusions

In this paper we have addressed a challenge in the area of cooperative cyber-physical systems (Co-CPS), which is to quantitatively estimate safety related parameters for a system-of-systems. An inherent problem here is the significant system complexity, which calls for novel analysis techniques that can even deal with the case where components may be "black box", i.e. their design and construction are not always known. Thus a black-box approach to parameter estimation based on learning-based testing (LBT) has been applied, and implemented using the tool LBTest.

To illustrate and evaluate our approach we have presented a case study in the area of vehicle platooning. This case study consisted of a platooning simulator integrated with a CEBP, a distributed protocol for coordinated emergency braking. The minimum safe global time headway for this platooning simulator was found for different platoon sizes, both with and without lossy communication.

Future research could expand this case study, for example by considering the effects of time variant communication quality, and compare schemes, such as multi-hop communication, to improve packet reception. This would increase the probability of reception, but latency will scale with the number of hops. We could also study the behavior of non-homogeneous platoons.

Future research could also improve the efficiency and accuracy of the LBT algorithms used here in the case of non-deterministic SUT behavior. For such behavior, it is possible to directly implement machine learning algorithms for non-deterministic and probabilistic automata (see e.g. the survey [2]). This would avoid the need to estimate parameter values using several experiments. Furthermore, by learning probabilistic automaton models it may even be possible to estimate the statistical distribution of a parameter value by means of statistical model checkers such as PRISM [34]. Finally, our LBT approach could be empirically compared with Monte Carlo based approaches, regarding accuracy and reliability of parameter estimates.

Acknowledgement

The research leading to these results has been performed in the SafeCOP project, that received funding from the ECSEL Joint Undertaking under grant agreement 692529, and from Vinnova Swedish national funding. The work was partially performed in the Next Generation Electrical Architecture (NGEA) step2 project, funded by the Vinnova FFI-programme. We express special thanks for valuable comments to Magnus Jonsson and Alexey Vinel of Halmstad University.

References

1. Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2), 87–106 (Nov 1987)

2. Bennaceur, A., Meinke, K.: Machine learning for software analysis: Models, methods, and applications. In: Machine Learning for Dynamic Software Analysis: Potentials and Limits. Lecture Notes in Computer Science, vol. 11026, pp. 3–49. Springer (2018)

3. Bergenhem, C., Shladover, S., Coelingh, E., Englund, C., Shladover, S., Tsugawa, S.: Overview of platooning systems. In: Proc. 19th ITS World Congress, Vienna, Austria (October 2012)

4. van den Bleek, R.: Design of a Hybrid Adaptive Cruise Control Stop-&-Go system. Master's thesis, Technische Universiteit Eindhoven, Department of Mechanical Engineering (2007)

5. Bohm, A., Jonsson, M., Kunert, K., Vinel, A.: Context-Aware Retransmission Scheme for Increased Reliability in Platooning Applications, pp. 30–42. Springer International Publishing, Cham (2014), http://dx.doi.org/10.1007/978-3-319-06644-8_4

6. Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: NuSMV 2: An OpenSource Tool for Symbolic Model Checking, pp. 359–364. Springer (2002)

7. Colin, S., Lanoix, A., Kouchnarenko, O., Souquieres, J.: Using CSP||B Components: Application to a Platoon of Vehicles, pp. 103–118. Springer (2009)

8. Dolk, V.S., Ploeg, J., Heemels, M.: Event-triggered control for string-stable vehicle platooning. IEEE Transactions on Intelligent Transportation Systems 18(12), 3486–3500 (Dec 2017)

9. El-Zaher, M., Contet, J., Gruer, P., Gechter, F., Koukam, A.: Compositional verification for reactive multi-agent systems applied to platoon non collision verification. Stud. Inform. Univ. 10(3), 119–141 (2012)

10. European Telecommunications Standards Institute: Intelligent Transport Systems (ITS); Access layer specification for Intelligent Transport Systems operating in the 5 GHz frequency band. EN 302 663 V1.2.1, ETSI (July 2013)

11. Feng, L., Lundmark, S., Meinke, K., Niu, F., Sindhu, M.A., Wong, P.Y.H.: Case Studies in Learning-Based Testing, pp. 164–179. Springer (2013)

12. Fisher, M.: An Introduction to Practical Formal Methods Using Temporal Logic. Wiley Publishing (2011)

13. Giordano, G., Segata, M., Blanchini, F., Cigno, R.L.: A joint network/control design for cooperative automatic driving. In: 2017 IEEE Vehicular Networking Conference (VNC). pp. 167–174 (Nov 2017)

14. De la Higuera, C.: Grammatical inference: learning automata and grammars. Cambridge University Press (2010)

15. IPG Automotive: Brochure about CarMaker, TruckMaker and MotorcycleMaker. https://ipg-automotive.com/pressmedia/media-library/ (2018), [Online; accessed 11-June-2018]

16. Kakade, R.S.: Automatic Cruise Control System. Master's thesis, Indian Institute of Technology, Department of Systems and Control Engineering, Mumbai (2007)

17. Kamali, M., Dennis, L.A., McAree, O., Fisher, M., Veres, S.M.: Formal verification of autonomous vehicle platooning. Science of Computer Programming 148, 88–106 (2017)

18. Karlsson, K., Carlsson, J., Larsson, M., Bergenhem, C.: Evaluation of the V2V channel and diversity potential for platooning trucks. In: Antennas and Propagation (EuCAP) Proceedings of the 10th European Conference, Davos, Switzerland, 11-15 April, 2016. (2016)

19. Khosrowjerdi, H., Meinke, K.: Learning-based testing for autonomous systems using spatial and temporal requirements. In: Proc. 1st International Workshop on Machine Learning and Software Engineering in Symbiosis. IEEE (2018)

20. Liang, K.Y., Mårtensson, J., Johansson, K.H.: Heavy-duty vehicle platoon formation for fuel efficiency. IEEE Transactions on Intelligent Transportation Systems 17(4), 1051–1061 (April 2016)

21. Meinke, K., Sindhu, M.A.: Incremental learning-based testing for reactive systems. In: Gogolla, M., Wolff, B. (eds.) Tests and Proofs: 5th International Conference, TAP 2011, Proceedings. pp. 134–151. Springer (2011)

22. Meinke, K.: Learning-based testing of cyber-physical systems-of-systems: A platooning study. In: Computer Performance Engineering - 14th European Workshop, EPEW 2017, Berlin, Germany, September 7-8, 2017, Proceedings. pp. 135–151 (2017)

23. Meinke, K., Sindhu, M.A.: Incremental learning-based testing for reactive systems. In: Tests and Proofs - 5th International Conference, TAP 2011, Zurich, Switzerland, June 30 - July 1, 2011. Proceedings. pp. 134–151 (2011)

24. Meinke, K., Sindhu, M.A.: LBTest: A learning-based testing tool for reactive systems. In: Proceedings of the 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation. pp. 447–454. ICST '13, IEEE Computer Society (2013)

25. Murthy, D.K., Masrur, A.: Braking in close following platoons: The law of the weakest. In: 2016 Euromicro Conference on Digital System Design (DSD). pp. 613–620 (Aug 2016)

26. Oncu, S., Van de Wouw, N., Heemels, M., Nijmeijer, H.: String stability of interconnected vehicles under communication constraints. In: Decision and Control (CDC), 2012 IEEE 51st Annual Conference on. pp. 2459–2464. IEEE (2012)

27. Peled, D.A., Vardi, M.Y., Yannakakis, M.: Black box checking. In: Formal Methods for Protocol Engineering and Distributed Systems, FORTE XII / PSTV XIX'99, IFIP TC6 WG6.1. pp. 225–240 (1999)

28. Swaroop, D., Hedrick, J.: String stability of interconnected systems. IEEE Trans. on Automatic Control 41, 349–357 (1996)

29. Trochez, D., Tsakalos, A.: Adaptive Cruise Control Implementation with Constant Range and Constant Time-Gap Policies. Master's thesis, KTH Royal Institute of Technology, EECS School (2017)

30. Valiant, L.G.: A theory of the learnable. Commun. ACM 27(11), 1134–1142 (Nov 1984)

31. Vinel, A., Lyamin, N., Isachenkov, P.: Modeling of V2V communications for C-ITS safety applications: a CPS perspective. IEEE Communications Letters (2018)

32. van Willigen, W.H., Schut, M.C., Kester, L.J.H.M.: Evaluating adaptive cruise control strategies in worst-case scenarios. In: 2011 14th International IEEE Conference on Intelligent Transportation Systems (ITSC). pp. 1910–1915 (Oct 2011)

33. Willke, T.L., Tientrakool, P., Maxemchuk, N.F.: A survey of inter-vehicle communication protocols and their applications. Commun. Surveys Tuts. 11(2), 3–20 (Apr 2009), http://dx.doi.org/10.1109/SURV.2009.090202

34. Younes, H.L.S., Kwiatkowska, M.Z., Norman, G., Parker, D.: Numerical vs. statistical probabilistic model checking. STTT 8(3), 216–228 (2006)